Thread: Connecting Clustered firewalls to two cisco ports?




Connecting Clustered firewalls to two cisco ports?
user name
2006-09-22 11:23:13
Hi,

I need to connect two clustered Checkpoint Firewalls (HA, hot standby)
to a cisco router, but _not_ with a switch between. The firewalls are
to be directly connected to two separate ports at the Cisco router.

Does anybody happen to know how to configure the Cisco in order to
search for the virtual ip address on two separate ports? (i.e. route
the traffic to the virtual address to both router interfaces)

regards
Hadmut

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================
Connecting Clustered firewalls to two cisco ports?
user name
2006-09-23 19:32:42
I know some Cisco stuff although I'm no expert, but as far as I know a Cisco
router would not allow you to do such a thing, it expects each interface to
belong to a different network and is expected for you to have a switch or
hub behind it to make the network distribution to other hosts.
A while ago I read something about a feature called something like "ether
channel", that allowed for two ports on a router to be used as a single
one to increase throughput, but since I don't know details about that, I
rather suggest for you to get a switch.

BTW... why is it that you don't want to put a sw or hub between the cluster
and the router?

On 9/22/06, Hadmut Danisch <hadmutdanisch.de> wrote:
>
> Hi,
>
> I need to connect two clustered Checkpoint Firewalls (HA, hot standby)
> to a cisco router, but _not_ with a switch between. The firewalls are
> to be directly connected to two separate ports at the Cisco router.
>
> Does anybody happen to know how to configure the Cisco in order to
> search for the virtual ip address on two separate ports? (i.e. route
> the traffic to the virtual address to both router interfaces)
>
> regards
> Hadmut



-- 
Sergio Alvarez
(506)8301342

Connecting Clustered firewalls to two cisco ports?
user name
2006-09-24 11:45:11
Yes, it can be done BUT you have to purchase a cisco Integrated Switch Router (ISR).
The Cisco ISR router has a NM-slot that will allow you to put in a 16 switchport module
so that the router can also function as a switch (i.e. layer 2) as well. If you're
familiar with Cisco Pix501 then you will know what I mean. The Pix501 comes
with an integrated 4-port switch on the "inside" interface. Same idea with the
Cisco ISR router with the exception that you can use up to 16-switchport network
module.

Either the Cisco ISR 2845 or Cisco ISR 3845 will let you do this. Because
this is a switch, everything from the Nokia will be connected to layer-2 and they
will be able to communicate with each other via vrrp.

HTH.
cisco4ng

Sergio Alvarez <seralvarGMAIL.COM> wrote:
I know some Cisco stuff although I'm no expert, but as far as I know a Cisco
router would not allow you to do such a thing, it expects each interface to
belong to a different network and is expected for you to have a switch or
hub behind it to make the network distribution to other hosts.
A while ago I read something about a feature called something like "ether
channel", that allowed for two ports on a router to be used as a single
one to increase throughput, but since I don't know details about that, I
rather suggest for you to get a switch.

BTW... why is it that you don't want to put a sw or hub between the cluster
and the router?

On 9/22/06, Hadmut Danisch wrote:
>
> Hi,
>
> I need to connect two clustered Checkpoint Firewalls (HA, hot standby)
> to a cisco router, but _not_ with a switch between. The firewalls are
> to be directly connected to two separate ports at the Cisco router.
>
> Does anybody happen to know how to configure the Cisco in order to
> search for the virtual ip address on two separate ports? (i.e. route
> the traffic to the virtual address to both router interfaces)
>
> regards
> Hadmut
>



-- 
Sergio Alvarez
(506)8301342
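
The layout described in the reply above (both cluster members on switchports of the router's switch module, sharing one layer-2 segment) as a Cisco IOS configuration sketch. This is an added example, not part of the original thread; the interface names, VLAN 10 and all addresses (documentation ranges) are assumptions.

```cisco
! Added sketch; interface names, VLAN 10 and all addresses are assumptions.
! VLAN 10 must already exist in the router's VLAN database.
!
! Two ports of the switchport module, one per cluster member.
interface FastEthernet1/0
 description fw-a external (assumed name)
 switchport mode access
 switchport access vlan 10
 no shutdown
!
interface FastEthernet1/1
 description fw-b external (assumed name)
 switchport mode access
 switchport access vlan 10
 no shutdown
!
! The router's single layer-3 presence on that segment.
interface Vlan10
 description shared segment toward the firewall cluster
 ip address 192.0.2.1 255.255.255.248
 no shutdown
!
! Route the protected network via the cluster's virtual IP (192.0.2.4),
! never via a member's physical address (192.0.2.2 / 192.0.2.3).
ip route 198.51.100.0 255.255.255.0 192.0.2.4
```

Because both members sit in one broadcast domain, the router resolves the virtual IP with ordinary ARP and traffic follows whichever member currently answers for it.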

Connecting Clustered firewalls to two cisco ports?
user name
2006-09-24 12:39:55
On Sat, Sep 23, 2006 at 01:32:42PM -0600, Sergio Alvarez wrote:
>
> BTW... why is it that you don't want to put a sw or hub between the cluster
> and the router?

Customer Request. The Customer does not want to set up a high
availability firewall on one hand, and then add another single point
of failure on the other hand.


regards
Hadmut
